Audit Report

Sensitive Information at Social Security Administration Offices

A-01-13-13025 | October 2013


MEMORANDUM

Date:      October 18, 2013                                             Refer To:
To:        The Commissioner
From:      Inspector General
Subject:   Sensitive Information at Social Security Administration Offices (A-01-13-13025)

The attached final report presents the results of our audit. Our objective was to determine whether sensitive information, such as personally identifiable information, in Social Security Administration offices was at risk for disclosure to the public.

If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment


Sensitive Information at Social Security Administration Offices
A-01-13-13025
October 2013                                                  Office of Audit Report Summary

Objective

To determine whether sensitive information, such as personally identifiable information (PII), in Social Security Administration (SSA) offices was at risk for disclosure to the public.

Background

Generally, SSA cannot conduct business without exchanging PII and other sensitive information with the public. PII is information that can be used to distinguish or trace an individual's identity, such as name, Social Security number (SSN), or date of birth.

Safeguarding sensitive information has been a priority for SSA since its creation in 1935. The first regulation the Social Security Board adopted addressed privacy and the disclosure of Social Security records. Subsequent regulations and laws, including the Privacy Act of 1974, further defined the Agency's responsibilities to protect sensitive information. Accordingly, the Agency requires that employees protect PII, has established guidance and resources for employees, and annually reminds all employees of that requirement and the availability of those resources.

Our Findings

In April 2013, we made unannounced visits to 38 SSA offices: 24 field offices, 12 hearing offices, and 2 Social Security card centers. During those visits, we either observed or overheard sensitive information at risk in 13 (34 percent) of the 38 offices we visited.

For example, at the front counter area of one field office, we observed a Social Security card (with name and SSN), a letter from SSA to a beneficiary (with their name and address), and a printed application for benefits (with the applicant's name, SSN, and claim-specific information). These documents are common in the daily conduct of business at SSA offices. Additionally, SSA could not control how careful the public was with sensitive information, even though staff remind visitors of the need to be careful.

Conversely, although offices generally were not expecting our visits, we did not observe sensitive information at risk in the remaining 25 offices (66 percent) visited.

Sensitive information, including PII, is at risk for inadvertent disclosure in SSA offices where the public transacts business. Recognizing this, the Agency has taken steps to safeguard sensitive information, including emphasizing to all employees their duty to protect this information and building privacy protections into the physical design of offices.

Our Conclusion

SSA should continue to remind staff on an ongoing basis of the importance of protecting sensitive information.


TABLE OF CONTENTS

Objective
Background
    SSA Safeguards for Sensitive Information
    SSA Offices We Visited
Results of Review
Conclusion
Agency Comments
Appendix A – Scope and Methodology
Appendix B – Offices Visited
Appendix C – Agency Comments
Appendix D – Major Contributors

Sensitive Information at SSA Offices (A-01-13-13025)


ABBREVIATIONS

FISMA    Federal Information Security Management Act of 2002
PII      Personally Identifiable Information
SSA      Social Security Administration
SSN      Social Security Number


OBJECTIVE

Our objective was to determine whether sensitive information, such as personally identifiable information (PII),¹ in Social Security Administration (SSA) offices was at risk for disclosure to the public.

BACKGROUND

Safeguarding sensitive information has been a priority for SSA since its creation in 1935. The first regulation the Social Security Board adopted addressed privacy and the disclosure of Social Security records. Subsequent regulations and laws, including the Privacy Act of 1974,² further defined the Agency's responsibilities to protect sensitive information.

Accordingly, SSA (a) requires that employees protect PII, (b) established guidance and resources for employees, and (c) annually reminds all employees of that requirement and the availability of those resources. Additionally, in response to Office of Management and Budget requirements,³ SSA employees sign a statement every year acknowledging that they have read and understood the Agency's annual reminder on safeguarding PII.

SSA established field offices, hearing offices, and Social Security card centers for the public to transact business. Generally, SSA cannot conduct business without exchanging PII and other sensitive information with the public. Although designed in a variety of layouts that separate the public from employee work areas, all offices have areas where the public and SSA staff interact. For example, all offices have a reception area where members of the public typically provide an SSA employee with their name and Social Security number (SSN). Some field offices have an employee work area near the reception area where claims representatives interview the public for benefit applications, and members of the public circulate through this area escorted by SSA staff. In other offices, claims representatives conduct benefit application interviews at their desks in the staff work area.

¹ PII is ". . . any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." U.S. Department of Commerce, National Institute of Standards and Technology, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Special Publication 800-122, § 2.1, April 2010, p. 2–1, citing GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008.
² Privacy Act of 1974, 5 U.S.C. § 552a.
³ Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.

SSA Safeguards for Sensitive Information

The Agency stresses the importance of protecting sensitive information through a variety of efforts.

•   Training: SSA teaches privacy as a service principle and core value as one of the first lessons for newly hired employees whose jobs involve direct public contact.⁴ Employees may also access video-on-demand training on safeguarding PII.

•   Annual Reminder: SSA formally reminds all employees each year of their duties and responsibilities under the Privacy Act and requires that employees protect PII. The Agency requires that employees who have access to PII sign a statement acknowledging they have read and understood the Agency's annual reminder document on safeguarding PII.

•   Resources: SSA provides a link to PII resources on the main page of its Intranet site. The Agency maintains multiple online resources for employees to research and reference Agency PII policy and guidance. This includes a Website that provides "one-stop-shopping" for reporting the disclosure of PII; policy related to specific issues, such as email containing PII and disposal of documents containing PII; and links to online training on specific PII-related topics.

•   Special Efforts: SSA incorporates the safeguarding of privacy as a topic in ongoing training and reminder efforts, such as the information security bulletins issued periodically by the Office of the Chief Information Officer. As part of its "Think Twice First" campaign, SSA has featured PII or privacy-related security topics at least twice since January 2012.⁵ Additionally, we observed that some managers made local efforts, such as

    ▪   posting signs in public areas—including near trash bins—reminding the public to safeguard PII;
    ▪   checking trash bins in public areas to remove any PII;
    ▪   removing trash bins in public areas;
    ▪   providing for public use a secure bin for documents to be shredded; and
    ▪   instructing staff to ask members of the public to write down rather than say aloud their SSNs.

•   Office Design: SSA designs the public areas of relocated or remodeled offices where staff and customers discuss PII and sensitive information to safeguard the privacy of members of the public.⁶ For example, SSA has incorporated such design features as floor-to-ceiling barrier walls, sound-absorbent material for walls and ceilings, private interview rooms, and the placement of half-walls between the general seating area and interviewing windows in the reception area. However, SSA stated that the availability of financial resources—both in terms of funds to spend on property redesign and the Agency's ability to replace staff lost to attrition who oversee SSA facilities—has resulted in an incremental approach to designing for privacy. Typically, the Agency reassesses privacy concerns as part of the leasing process—generally 2 years before a lease expires. In the past, some field offices have used recorded background noise (such as ventilation system sounds) to help mask conversation that might be overheard.

•   Ad hoc Reminders: SSA field office managers told us that whenever they became aware of a concern—in response to a specific incident, for example—management reminds staff to be vigilant in safeguarding sensitive information.

⁴ Teleservice (800 Number) representatives, service representatives, claims representatives, benefit authorizers, and claims authorizers.
⁵ The "Think Twice First" campaign consists of nine reminders throughout the year on Agency policy. It began as a regional initiative in the San Francisco Region, and SSA adopted it nationally in January 2012.
⁶ Employee safety is a key concern in certain design elements such as floor-to-ceiling barrier walls.

SSA Offices We Visited

We made unannounced visits to 38 offices in 9 of SSA's 10 regions.⁷ Specifically, we visited 24 field offices, 12 hearing offices, and 2 Social Security card centers located near an Office of the Inspector General, Office of Audit office. We visited all offices during the hours they were open to the public, and we discussed our observations with office management before concluding our visit. See Appendix A for additional information on our scope and methodology. The results presented in this report are a snapshot of what we found in specific SSA offices we visited on certain days in April 2013.

⁷ We did not visit any offices in the Seattle Region because we do not have audit staff there. See Appendix B for a list of offices visited.


RESULTS OF REVIEW

We either observed or overheard sensitive information at risk in 13 (34 percent) of the 38 offices we visited.⁸ Although offices generally were not expecting our visits, we did not observe sensitive information at risk in the remaining 25 (66 percent) offices we visited. See Table 1.

Table 1: Results of Visits

TYPE OF SSA OFFICE                                   NUMBER OF    OFFICES WHERE WE      OFFICES WHERE WE DID
                                                     OFFICES      OBSERVED OR OVERHEARD NOT OBSERVE OR OVERHEAR
                                                     VISITED      SENSITIVE INFORMATION SENSITIVE INFORMATION
Field Offices                                           24               11                      13
Disability Adjudication and Review Hearing Offices      12                2                      10
Social Security Card Centers                             2                0                       2
TOTALS                                                  38               13                      25

For example, at the front counter area of one field office, we observed a Social Security card (with name and SSN), a letter from SSA to a beneficiary (with their name and address), and a printed application for benefits (name, SSN, and claim-specific information). These are all documents common in the daily conduct of business at SSA offices.

Additionally, SSA could not control how careful the public was with sensitive information. For example, in one hearing office, a conference room available for the use of the claimants and their representatives contained a computer. When the room was not in use, we observed sensitive information on the computer screen that included medical information, as well as the individual's name, SSN, and date or place of birth. The manager stated that staff frequently reminded visitors of the need to be careful.

Figure 1 shows the types and amount of sensitive information we found at risk in 13 of the 38 offices visited.

⁸ Although we observed sensitive information at risk, nothing came to our attention to indicate any members of the public actually misused any PII.

Figure 1: Types and Amount of Sensitive Information at Risk
(Figure 1 is a chart that is not reproduced in this text version.)

* Other sensitive information included financial and employment information, four incidents each; addresses, two incidents; one incident of educational information; one benefit claim application; and benefit claim information for one interview.

Although the Agency's efforts to create a culture of safeguarding PII have not entirely eliminated the risk of inadvertent disclosure, SSA has established policy and taken action to protect sensitive information from being put at risk. For example, as of May 2013, the Agency stated it had installed barrier walls in about 670 (54 percent) of its approximately 1,250 field offices.

At several offices, management described special efforts it took to safeguard sensitive information. For example, one office kept small document shredders near the front counter so employees could immediately shred no-longer-needed documents with PII, rather than piling them up to take later to a large shredder or collection bin elsewhere in the office. Other offices have placed posters in public areas to remind the public to be careful with sensitive information (although they still sometimes find sensitive information carelessly discarded). One office, knowing this to be a common occurrence, routinely sent a supervisor into public areas specifically to search for discarded PII.

CONCLUSION

Sensitive information, including PII, is at risk for inadvertent disclosure in SSA offices where the public transacts business with the Agency. Recognizing this, the Agency has taken a number of steps to safeguard sensitive information, including emphasizing to all employees their duty to protect this information and building privacy protections into the physical designs of offices. SSA should continue to remind staff on an ongoing basis of the importance of protecting sensitive information.

AGENCY COMMENTS

SSA reviewed the draft report but did not provide any comments. See Appendix C.


APPENDICES

Appendix A – SCOPE AND METHODOLOGY

To accomplish our objective, we conducted unannounced visits to 38 Social Security Administration (SSA) offices that the public could visit to conduct business. We visited the offices during the hours they were open to the public on Tuesday, April 23, 2013; Wednesday, April 24, 2013; or Friday, April 26, 2013.

Rather than randomly select the offices we visited, we selected offices located near an Office of the Inspector General, Office of Audit office. Specifically, we visited

•   24 field offices,
•   12 hearing offices, and
•   2 Social Security card centers.

At the SSA offices, we walked through areas accessible to the public and noted personally identifiable information (PII) that a member of the public might see or overhear. We discussed the results with SSA management at the conclusion of each visit.

We obtained information from SSA regarding office redesign and privacy protection and obtained and reviewed SSA policies and procedures related to safeguarding PII.

The entities audited were field offices and Social Security card centers under the Office of the Deputy Commissioner for Operations and hearing offices under the Office of the Deputy Commissioner for Disability Adjudication and Review. Also, the Federal Information Security Management Act of 2002 (FISMA) requires that the Agency's Chief Information Officer ensure compliance with FISMA, which encompasses efforts to safeguard PII.¹ We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

¹ FISMA, § 301, § 3544(a)(3), 44 U.S.C. § 3544(a)(3).


Appendix B – OFFICES VISITED

Table B–1: Offices Visited

TYPE OF OFFICE                  CITY AND STATE                      SSA REGION
Field Office                    Fitchburg, Massachusetts            Boston
Field Office                    Gardner, Massachusetts              Boston
Field Office                    Quincy, Massachusetts               Boston
Field Office                    Manchester, New Hampshire           Boston
Hearing Office                  Manchester, New Hampshire           Boston
Field Office                    Providence, Rhode Island            Boston
Hearing Office                  Providence, Rhode Island            Boston
Field Office                    Hoboken, New Jersey                 New York
Hearing Office                  New York, New York (Manhattan)      New York
Social Security Card Center     New York, New York (Manhattan)      New York
Field Office                    Union, New Jersey                   New York
Field Office                    Baltimore, Maryland                 Philadelphia
Field Office                    Owings Mills, Maryland              Philadelphia
Field Office                    Philadelphia, Pennsylvania          Philadelphia
Hearing Office                  Philadelphia, Pennsylvania          Philadelphia
Social Security Card Center     Philadelphia, Pennsylvania          Philadelphia
Field Office                    Washington, District of Columbia    Philadelphia
Hearing Office                  Washington, District of Columbia    Philadelphia
Field Office                    Atlanta, Georgia                    Atlanta
Field Office                    Atlanta, Georgia                    Atlanta
Hearing Office                  Atlanta, Georgia                    Atlanta
Field Office                    Bessemer, Alabama                   Atlanta
Hearing Office                  Birmingham, Alabama                 Atlanta
Field Office                    Trussville, Alabama                 Atlanta
Field Office                    Chicago, Illinois                   Chicago
Field Office                    Chicago, Illinois                   Chicago
Hearing Office                  Chicago, Illinois                   Chicago
Field Office                    Dallas, Texas                       Dallas
Hearing Office                  Dallas, Texas                       Dallas
Field Office                    Kansas City, Missouri               Kansas City
Hearing Office                  Kansas City, Missouri               Kansas City
Field Office                    Lenexa, Kansas                      Kansas City
Field Office                    Denver, Colorado                    Denver
Hearing Office                  Denver, Colorado                    Denver
Field Office                    Berkeley, California                San Francisco
Hearing Office                  Oakland, California                 San Francisco
Field Office                    Richmond, California                San Francisco
Field Office                    Walnut Creek, California            San Francisco


Appendix C – AGENCY COMMENTS

September 17, 2013

Subject: Audit No. 22013043 - OIG Draft Report, "Sensitive Information at Social Security Administration Offices"

Steve,

Thank you for the opportunity to review the Office of the Inspector General draft report, Sensitive Information at Social Security Administration Offices. We agree with the report as written and offer no comments.

Please let me know if you have any questions.

Tina

Tina M. Waddell
Assistant Deputy Commissioner
for Budget, Finance and Management


Appendix D – MAJOR CONTRIBUTORS

Judith Oliveira, Director
David Mazzola, Audit Manager
David York, Program Analyst
Brennan Kraje, Statistician

Additionally, Office of Audit staff nationwide conducted the office visits.


MISSION

By conducting independent and objective audits, evaluations, and investigations, the Office of the Inspector General (OIG) inspires public confidence in the integrity and security of the Social Security Administration's (SSA) programs and operations and protects them against fraud, waste, and abuse. We provide timely, useful, and reliable information and advice to Administration officials, Congress, and the public.

CONNECT WITH US

The OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG. On our Website, you can report fraud as well as find the following.

•   OIG news
•   audit reports
•   investigative summaries
•   Semiannual Reports to Congress
•   fraud advisories
•   press releases
•   congressional testimony
•   an interactive blog, "Beyond The Numbers" where we welcome your comments

In addition, we provide these avenues of communication through our social media channels: watch us on YouTube, like us on Facebook, follow us on Twitter, and subscribe to our RSS feeds or email updates.

OBTAIN COPIES OF AUDIT REPORTS

To obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-investigations/audit-reports/all. For notification of newly released reports, sign up for e-updates at http://oig.ssa.gov/e-updates.

REPORT FRAUD, WASTE, AND ABUSE

To report fraud, waste, and abuse, contact the Office of the Inspector General via

Website:     http://oig.ssa.gov/report-fraud-waste-or-abuse
Mail:        Social Security Fraud Hotline
             P.O. Box 17785
             Baltimore, Maryland 21235
FAX:         410-597-0118
Telephone:   1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time
TTY:         1-866-501-2101 for the deaf or hard of hearing